+ assert_changesets [1,4]
+
+ get :query, :bbox => "4.5,4.5,4.6,4.6"
+ assert_response :success, "can't get changesets in bbox"
+ assert_changesets [1]
+
+ # can't get changesets of user 1 without authenticating
+ get :query, :user => users(:normal_user).id
+ assert_response :not_found, "shouldn't be able to get changesets by non-public user"
+
+ # but this should work
+ basic_authorization "test@openstreetmap.org", "test"
+ get :query, :user => users(:normal_user).id
+ assert_response :success, "can't get changesets by user"
+ assert_changesets [1,3,4]
+
+ get :query, :user => users(:normal_user).id, :open => true
+ assert_response :success, "can't get changesets by user and open"
+ assert_changesets [1,4]
+
+ get :query, :time => '2007-12-31'
+ assert_response :success, "can't get changesets by time-since"
+ assert_changesets [1,2,4,5]
+
+ get :query, :time => '2008-01-01T12:34Z'
+ assert_response :success, "can't get changesets by time-since with hour"
+ assert_changesets [1,2,4,5]
+
+ get :query, :time => '2007-12-31T23:59Z,2008-01-01T00:01Z'
+ assert_response :success, "can't get changesets by time-range"
+ assert_changesets [1,4,5]
+
+ get :query, :open => 'true'
+ assert_response :success, "can't get changesets by open-ness"
+ assert_changesets [1,2,4]
+ end
+
+ ##
+ # check that errors are returned if garbage is inserted
+ # into query strings
+ def test_query_invalid
+ [ "abracadabra!",
+ "1,2,3,F",
+ ";drop table users;"
+ ].each do |bbox|
+ get :query, :bbox => bbox
+ assert_response :bad_request, "'#{bbox}' isn't a bbox"
+ end
+
+ [ "now()",
+ "00-00-00",
+ ";drop table users;",
+ ",",
+ "-,-"
+ ].each do |time|
+ get :query, :time => time
+ assert_response :bad_request, "'#{time}' isn't a valid time range"
+ end
+
+ [ "me",
+ "foobar",
+ "-1",
+ "0"
+ ].each do |uid|
+ get :query, :user => uid
+ assert_response :bad_request, "'#{uid}' isn't a valid user ID"
+ end
+ end
+
+ ##
+ # check updating tags on a changeset
+ def test_changeset_update
+ changeset = changesets(:normal_user_first_change)
+ new_changeset = changeset.to_xml
+ new_tag = XML::Node.new "tag"
+ new_tag['k'] = "tagtesting"
+ new_tag['v'] = "valuetesting"
+ new_changeset.find("//osm/changeset").first << new_tag
+ content new_changeset
+
+ # try without any authorization
+ put :update, :id => changeset.id
+ assert_response :unauthorized
+
+ # try with the wrong authorization
+ basic_authorization "test@example.com", "test"
+ put :update, :id => changeset.id
+ assert_response :conflict
+
+ # now this should work...
+ basic_authorization "test@openstreetmap.org", "test"
+ put :update, :id => changeset.id
+ assert_response :success
+
+ assert_select "osm>changeset[id=#{changeset.id}]", 1
+ assert_select "osm>changeset>tag", 2
+ assert_select "osm>changeset>tag[k=tagtesting][v=valuetesting]", 1
+ end
+
+ ##
+ # check that a user different from the one who opened the changeset
+ # can't modify it.
+ def test_changeset_update_invalid
+ basic_authorization "test@example.com", "test"
+
+ changeset = changesets(:normal_user_first_change)
+ new_changeset = changeset.to_xml
+ new_tag = XML::Node.new "tag"
+ new_tag['k'] = "testing"
+ new_tag['v'] = "testing"
+ new_changeset.find("//osm/changeset").first << new_tag
+
+ content new_changeset
+ put :update, :id => changeset.id
+ assert_response :conflict